Cloud and Confidential Computing ...

(To Alessandro Rugolo)
30/11/20

For years, the IT security experts of private companies and public organizations have been faced with the innovative push of new services, generically identified under the categorization of Cloud Services. Services that promise cost savings and a higher level of security. 

As you can well understand, any solution that promises heaven must be carefully evaluated, I would say that in these cases it is necessary to be skeptical and investigate. In fact, the vulnerabilities of new systems often come by surprise, and usually not immediately.

I read an interesting news from AMD announcing an agreement with IBM in the field of Confidential Computing and Artificial Intelligence. 

While everyone knows what Artificial Intelligence is (or at least have heard of it), probably not many people know what is meant by Confidential Computing.

Il Confidential Computing is a cloud computing technology that allows you to isolate sensitive data during their processing in the cloud. In fact, data needs to be protected at different times: when it is stored in databases, when it moves along networks and, last but not least, when it is processed. 

Regarding the protection in databases and along networks, encryption techniques are generally used, but when the data is processed (in principle) they must be in the clear and this is a risk to be taken into account. The technologies of Confidential Computing they deal precisely with the security of data being processed in the cloud environment.

Some may wonder if the Confidential Computing it is important (or in other words if and what are the risks that are run by using cloud technologies), well the answer can be found in the reports of the companies that deal with cyber risk analysis, among these I mention only one, McAfee, which is well known as an antivirus manufacturer. If we read the "Cloud adoption and Risk Report" it is possible to better understand what are the trends regarding the risks associated with the adoption of the Cloud and therefore understand what risks are run in using cloud technologies. 

Not everyone will read the report, but I can tell you in a nutshell that there are risks and they must be taken into account. Not only I say this (who am I to do it?) But the same companies that provide cloud services affirm it, with their behavior.   

To confirm the above, let's take a look at a recently created consortium: the "Confidential Computing Consortium" (CCC), of the Linux Foundation. The CCC aims to deepen the security of cloud systems and technologies and is a consortium involving Alibaba, ARM, Baidu, IBM, Intel, Google, Microsoft, Red Hat, Swisscom and Tencent. Anyone who has a clue what these companies represent can understand how important the "problem" of Confidential Computing is.

I close this article with a simple question: when data was processed by proprietary software on IT infrastructures held by the customer, it was the customer who had to ensure the maintenance of a safe environment for his data and who responded for what happened, even in front of to the law, but now? Now the data belongs to the customer, but the services are external (on the cloud) and the IT infrastructure is the Cloud (at least in the case of SaaS), managed in all respects by the service provider ... who is responsible for their safety?

Let it be clear, in recent years, organizations and companies of all kinds have often and willingly demonstrated that they are unable to protect their data and infrastructures, thanks to the complexity, the speed of change in technologies and the low investments in training and technological update. 

The responsibility in the event of a cyber incident in a cloud environment is, in some respects, shared, customer and service provider must therefore work together, and it is not easy.

I believe that the answer is still to be found between the lines of the CCC. That's why the world's leading cloud service providers are working together to define new cloud security standards.

To learn more:

IBM and AMD Announce Joint Development Agreement;

IBM And AMD Announce Joint Development Agreement To Advance Confidential Computing For The Cloud And Accelerate Artificial Intelligence - BW CIO (businessworld.in);

What is Confidential Computing? | IBM;

Vast majority of cyber-attacks on cloud servers aim to mine cryptocurrency | ZDNet;

Data in Cloud is more exposed to Cyber ​​Attacks than in organizations - Cybersecurity Insiders (cybersecurity-insiders.com)

- SaaS: Software-as-a-Service (SaaS) Definition (investopedia.com)